Combination of bugs in WordPress and WooCommerce allows website hijacking

A flaw in how WordPress handles privileges can be exploited to take control of a domain

A flaw in the WordPress process to manage user privilege assignments can be exploited to allow a malicious actor to hijack WooCommerce websites, as reported by specialists in digital forensics from the International Institute of Cyber Security.

The security problem in the Content Management System (CMS) was discovered by Simon Scannell, a cybersecurity and digital forensics researcher, who said in a blog post that this design error specifically affects WooCommerce, a popular WordPress plugin that has been downloaded over four million times.

“The vulnerability allows store managers to delete certain files on the server and then take control over any administrator account”, the investigator says in his security report.

According to reports from information security and digital forensics specialists, this plugin has been developed by Automattic and is a free e-commerce system for websites based on WordPress.

Scannell found the file deletion bug in the software which, by itself, is not considered a critical flaw, since the greatest damage an attacker could cause would be to remove the index.php pages and cause a denial of service (DDoS) condition. However, when combined with the flaw in the WordPress design, this becomes a critical security error.

This problem in WordPress, which continues without being patched, derives from the way in which the CMS assigns capacities to different roles.

When it’s defined the store manager role that uses this plugin, the edit_userscapability is configured to allow users with these privileges to edit client accounts. Even if the plugin is disabled, this account privilege is stored in the central WordPress database.

By default, the edit_users function allows the account holder to edit any user, including administrator accounts. To prevent this from being abused, WooCommerce specifies that you can only edit accounts with the client role, but these metadata additions, possible thanks to the current_user_can() functionality, are only active when the plugin is enabled.

That’s where the problem lies. Because the flaw in the WordPress design maintains the store manager function stored separately from the plugin, if WooCommerce is disabled, attackers who can access one of these accounts are not limited by changes in metadata.

“This means that if WooCommerce was disabled for some reason, the privilege check that restricts administrators from editing other admins store would not run, producing this default behavior in the plugin allowing the editing of any user’s information”, says Scannell. “This would allow store managers to update the password for the administrator account and then control the entire site”.

If a threat actor is able to successfully perform a phishing campaign and get the credentials of a store admin account or use XSS vulnerability for the same purpose, then the attack string becomes possible.